Commit

links
tomrade committed Jul 25, 2020
1 parent 56fc4aa commit d71bd1d
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions README.md
@@ -1,13 +1,16 @@
# evtx-nom
EVTX log file ingestion (no Windows required) using amazing ![evtx-rs](https://github.com/omerbenamram/evtx) lib. Current output target is Elasticsearch with the hope of a modular output in the future.
EVTX log file ingestion (no Windows required) using amazing ![evtx rust](https://github.com/omerbenamram/evtx) lib. Current output target is Elasticsearch with the hope of a modular output in the future.

* Elasticsearch output uses ECS common schema output (ive stayed close to winlogbeat however I use lowercase field names under winlog as I feel that is in the spirit of ECS better than the Camel Case used in winlogbeat)
* ECS mappings are done via a config file you can add your own maps to
* Event log message string reconstruction from the ![WELM](https://github.com/nsacyber/Windows-Event-Log-Messages/blob/master/docs/Datasets.md) project , where possible the event_data/user_data variables are put back into the string

## Install

pip install requirements
* pip install requirements (note there is no wheel for evtx on some platforms for the lastest python. (worked for me on 3.8 python on Ubuntu), if you are desperate to use on a newer version you need to compile evtx from source ![ref](https://github.com/omerbenamram/pyevtx-rs))
* Clone this repo
* Edit config "config.json" file
* Execute "evtx_nom_cli.py"

## Usage

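Review bot: the three links in this hunk still use image syntax, so they render as broken images rather than links; `![evtx rust](https://github.com/omerbenamram/evtx)`, `![WELM](...)` and `![ref](...)` should drop the leading `!` to read `[evtx rust](https://github.com/omerbenamram/evtx)` and so on. Since the commit message is "links", this is probably the fix that was intended, and it is still missing after the edit. In the Install section, the added bullet keeps the wording "pip install requirements", which as a literal command would install an unrelated PyPI package named `requirements`; spell out the real command (presumably `pip install -r requirements.txt`, if that is the file in the repo) and move "Clone this repo" above it, since the requirements file only exists after cloning. The same bullet also has "lastest" for "latest" and an opening parenthesis at "(note there is no wheel" that is never closed.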
@@ -183,7 +186,7 @@ mapping_dict = {

This is so I can find as match based on "for X in mapping_dict" rather than a nested search tree, im not if this is better/faster or not , but I feel a dictionary check in RAM would be better/faster than a DB even with memcache

#### Example Elasticsearch Doucment "_source"
#### Example Elasticsearch Document "_source"

``` json
{
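Review bot: the unchanged context line above the heading still carries two typos of the same kind this commit fixes: "find as match" should be "find a match", and "im not if this is better/faster" is missing "sure". While you are there, the claim that a dictionary lookup in RAM beats a database "even with memcache" is stated as a feeling; either qualify it as untested or note the measurement that backs it, since anyone sizing an ingestion run will want to know the per-event cost of the mapping lookup.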

0 comments on commit d71bd1d